saml


README

go-saml

A high-level API library for Single Sign-On with SAML 2.0, built on etree and signedxml; a pure Go implementation.

The library supports:

  • validating signed/unsigned AuthnRequests
  • generating identity provider metadata
  • generating signed Responses
  • validating signed/unsigned LogoutRequests
  • generating signed LogoutResponses

## Installation

Install go-saml into your $GOPATH using go get:

go get github.com/LoginRadius/go-saml

## Usage

Below are samples showing how you might use the library.

Create an identity provider (IdP) instance
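idp := saml.IdentityProvider{
	IsIdpInitiated:       false, // false: parse and validate the SP's AuthnRequest before responding
	Issuer:               "https://identity-provider.com/",
	Audiences:            []string{"https://service-provider.com/"}, // Audiences is a []string, one entry per allowed SP
	IDPCert:              "<IDPCert PEM Format>",
	IDPKey:               "<IDPKey PEM Format>", // private signing key: load it from a secret store, not a literal
	SPCert:               "<SPCert PEM Format>", // SP certificate, needed when the SP signs its requests
	NameIdentifier:       "john@idp.com",
	NameIdentifierFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
	ACSLocation:          "https://service-provider-acs.com", // Service Provider Login Url; becomes the assertion's Recipient
	ACSBinging:           saml.HTTPPostBinding,               // sic: the field is spelled ACSBinging in the API
	SessionIndex:         "1ac5bc03-06a1-413d-8542-e7a7e7d9e9f2",
}

// Add attributes. Each map needs the keys "Name", "Value" and "Format"; they become
// saml:Attribute Name, saml:AttributeValue and NameFormat in the generated Response.
// Go requires the trailing comma on every line of a multi-line composite literal.
idp.Attributes = append(idp.Attributes, map[string]string{
	"Name":   "user.firstname",
	"Value":  "john",
	"Format": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
})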
Validate and Parse AuthnRequest
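if !idp.IsIdpInitiated {
	// SP-initiated flow: validate (and, when signed, verify) the incoming AuthnRequest
	// before issuing a response. query and payload are placeholders for the url.Values
	// of the incoming request (query string and POST form) — ParseLoginRequest takes
	// url.Values, not strings. The last argument is the binding the request arrived on;
	// a non-nil *Fall carries the validation error.
	validationError := idp.ParseLoginRequest("POST", query, payload, saml.HTTPPostBinding)
	if validationError != nil {
		return validationError
	}
}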
Generate SAML Response
// Build the signed SAML Response, then the HTML that posts it to the SP.
signedXML, err := idp.NewSignedLoginResponse()
if err != nil {
	return err
}
// Generate html content for Post; "Response" names the request type being wrapped.
html, err := idp.ResponseHtml(signedXML, "Response")
if err != nil {
	return err
}

Sample generated Response XML (the signature value and certificate are truncated with `...`):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://lridpapp.my.salesforce.com"
                ID="_738d9938-e750-4a46-bd7c-b4ca3d115242"
                Version="2.0"
                IssueInstant="2020-09-16T12:53:14Z">
  <saml:Issuer>https://identity-provider.com/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion ID="_4f197b0e-f1e2-4f69-a446-724420c871e9"
                  Version="2.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  IssueInstant="2020-09-16T12:53:14Z">
    <saml:Issuer>https://internal-jitender-van.hub.loginradius.com/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_4f197b0e-f1e2-4f69-a446-724420c871e9">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>wtVnJ8ifjsZr4Gd0uCXZ6SSF8um8qlZpOT1lyyWGlrA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
CtatENT1TwLQ...kgjgfZ0ijDrqg==
</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIEbTCCA1WgAw...MIIEbTCCA1WgAw
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john@idp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-09-16T12:58:14Z"
                                      Recipient="https://service-provider-acs.com" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-09-16T12:48:14Z"
                     NotOnOrAfter="2020-09-16T12:58:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://service-provider.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-09-16T12:53:14Z"
                         SessionIndex="1ac5bc03-06a1-413d-8542-e7a7e7d9e9f2">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.firstname"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">john</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Documentation

Index

Constants

// HTTPPostBinding is the official URN for the HTTP-POST binding (transport).
// It is the value used for IdentityProvider.ACSBinging and for the httpBinding
// argument of ParseLoginRequest / ParseLogoutRequest in the README sample.
const HTTPPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

HTTPPostBinding is the official URN for the HTTP-POST binding (transport)

// HTTPRedirectBinding is the official URN for the HTTP-Redirect binding (transport).
// With this binding the request travels in the query string; SamlRequestParam's
// SigAlg and Signature fields presumably hold its detached signature parameters — confirm.
const HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

HTTPRedirectBinding is the official URN for the HTTP-Redirect binding (transport)

Variables

This section is empty.

Functions

This section is empty.

Types

type Fall

// Fall is the failure value returned by IdentityProvider.ParseLoginRequest and
// ParseLogoutRequest; a nil *Fall means the request validated.
type Fall struct {
	// Error is the underlying validation error.
	Error  error
	// Region presumably names the part of the request that failed (binding, signature,
	// parsing, ...) — confirm against the parse functions.
	Region string
}

type IdentityProvider

// IdentityProvider holds the configuration of a SAML 2.0 identity provider and is the
// receiver for the high-level operations documented below (MetaDataResponse,
// NewSignedLoginResponse, NewSignedLogoutResponse, ParseLoginRequest, ParseLogoutRequest,
// ResponseHtml). Field notes are taken from the README sample and the sample Response it
// produces; anything marked "confirm" is not demonstrated on this page.
type IdentityProvider struct {
	// IsIdpInitiated: when false the README calls ParseLoginRequest to validate the SP's
	// AuthnRequest before a response is generated (SP-initiated flow).
	IsIdpInitiated       bool
	// Issuer is emitted as the <saml:Issuer> of the Response.
	Issuer               string
	// Audiences lists the allowed service providers; each appears as a <saml:Audience>
	// inside <saml:AudienceRestriction>. The README sample assigns a string here; the
	// field is a []string.
	Audiences            []string
	// IDPCert and IDPKey are the identity provider's certificate and private key, PEM
	// encoded. IDPKey signs the assertion; keep it in a secret store rather than in source.
	IDPCert              string
	IDPKey               string
	// SPCert is the service provider's certificate, PEM encoded — presumably what
	// SamlRequestParam.CheckSignature verifies signed requests against. NOTE(review): the
	// README says unsigned requests are also accepted; confirm whether a signature is
	// required when SPCert is set.
	SPCert               string
	// Attributes: one map per attribute with the keys "Name", "Value" and "Format",
	// emitted as <saml:Attribute Name= NameFormat=> / <saml:AttributeValue>.
	Attributes           []map[string]string
	// SignatureAlgorithm, SignaturePrefix and DigestAlgorithm select the XML-DSig
	// algorithms. Not set in the README sample, whose output uses rsa-sha256 and sha256
	// (presumably the defaults — confirm).
	SignatureAlgorithm   string
	SignaturePrefix      string
	DigestAlgorithm      string
	// LifetimeInSeconds presumably bounds the assertion's NotBefore/NotOnOrAfter window
	// (the sample output spans 5 minutes either side of IssueInstant) — confirm.
	LifetimeInSeconds    int64
	// NameIdentifier is emitted as the <saml:NameID> value. NameIdentifierFormat is
	// presumably its Format attribute; the sample output shows a different format than
	// the sample config — confirm.
	NameIdentifier       string
	NameIdentifierFormat string
	// ACSLocation is the SP's assertion consumer service URL; it appears as the
	// SubjectConfirmationData Recipient. ACSBinging (sic) is the binding URN used to
	// deliver the response, e.g. HTTPPostBinding.
	ACSLocation          string
	ACSBinging           string
	// LogoutUrl and RelayState are not exercised on this page — confirm their use in the
	// logout flow and in ResponseHtml.
	LogoutUrl            string
	RelayState           string
	// SessionIndex is emitted on <saml:AuthnStatement>.
	SessionIndex         string

	// SingleSignOnService and SingleSignOutService list the endpoints advertised in the
	// metadata produced by MetaDataResponse (presumably — confirm).
	SingleSignOnService  []MetadataBinding
	SingleSignOutService []MetadataBinding
	// contains filtered or unexported fields
}

func (*IdentityProvider) MetaDataResponse

func (idp *IdentityProvider) MetaDataResponse() (string, error)

func (*IdentityProvider) NewSignedLoginResponse

func (idp *IdentityProvider) NewSignedLoginResponse() (string, error)

func (*IdentityProvider) NewSignedLogoutResponse

func (idp *IdentityProvider) NewSignedLogoutResponse() (string, error)

func (*IdentityProvider) ParseLoginRequest

func (idp *IdentityProvider) ParseLoginRequest(method string, query url.Values, payload url.Values, httpBinding string) *Fall

func (*IdentityProvider) ParseLogoutRequest

func (idp *IdentityProvider) ParseLogoutRequest(method string, query url.Values, payload url.Values, httpBinding string) *Fall

func (*IdentityProvider) ResponseHtml

func (idp *IdentityProvider) ResponseHtml(signedXML string, requestType string) (string, error)

type MetadataBinding

// MetadataBinding describes one endpoint advertised in the identity provider metadata:
// Binding is the binding URN (HTTPPostBinding or HTTPRedirectBinding) and Location the
// endpoint URL. Used by IdentityProvider.SingleSignOnService and SingleSignOutService.
type MetadataBinding struct {
	Binding  string
	Location string
}

type SamlRequestParam

// SamlRequestParam holds one inbound SAML request as received over an HTTP binding,
// plus its parsed form once ParseAuthnRequest or ParseLogoutRequest has run.
type SamlRequestParam struct {
	// Method is the HTTP method the request arrived with.
	Method        string
	// RequestBuffer presumably holds the decoded request XML — confirm.
	RequestBuffer []byte
	// SAMLRequest is the raw SAMLRequest parameter value; RelayState is the companion
	// parameter, echoed back to the SP.
	SAMLRequest   string
	RelayState    string
	// SigAlg and Signature carry the HTTP-Redirect binding's detached signature
	// parameters; GetOctetString presumably rebuilds the signed string and
	// CheckSignature verifies it against the IdentityProvider — confirm. Verify before
	// trusting the parsed request contents.
	SigAlg        string
	Signature     string
	// AuthnRequest and LogoutRequest are presumably populated by ParseAuthnRequest and
	// ParseLogoutRequest respectively; only one is expected to be non-nil per request.
	AuthnRequest  *lib.AuthnRequest
	LogoutRequest *lib.LogoutRequest
}

func (*SamlRequestParam) CheckSignature

func (s *SamlRequestParam) CheckSignature(idp *IdentityProvider) error

func (*SamlRequestParam) GetOctetString

func (sqp *SamlRequestParam) GetOctetString() string

func (*SamlRequestParam) ParseAuthnRequest

func (sqp *SamlRequestParam) ParseAuthnRequest() error

func (*SamlRequestParam) ParseLogoutRequest

func (sqp *SamlRequestParam) ParseLogoutRequest() error
